Mary Richard is recognized as one of the pioneers in health care law in Oklahoma. She has represented institutional and non-institutional providers of health services, as well as patients and their families.

Q: What attention has the FBI recently given to protect Protected Health Information (“PHI”) from cyber criminals?

A: Under a “Private Industry Notification” dated March 22, the FBI’s Cyber Division has provided guidance that’s applicable specifically to medical and dental providers and focuses on protection of sensitive, identifiable health information.

Q: What does the notice specifically recommend?

A: The notification recommends these health care providers request that their IT services personnel take steps to further secure the information from cyber threats by checking networks for File Transfer Protocol (“FTP”) servers running in anonymous mode. FTP servers are routinely used to transport information between network hosts. This is the case, for example, when a covered entity such as a hospital or group practice transfers information to a business associate, such as a billing company or a third-party payer, for the purpose of submitting claims for services provided.

Q: What does “anonymous mode” mean and what threat does it represent?

A: “Anonymous mode” refers to the situation where an FTP server is configured to permit anonymous users: it doesn’t require a password to enter, and it accepts common user names such as “anonymous” or “FTP.” The danger is that, in such circumstances, sensitive patient information stored on a server could be accessed with little or no security.
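The check the notice asks IT staff to run, as an added example that is not from the article or the FBI notification: a script that reports whether an FTP server on your own network accepts the anonymous login just described. The helper names (`check_anonymous_ftp`, `start_stub`, `demo`) are assumptions, and a tiny in-process stub stands in for a real FTP server so the example runs offline.

```python
# Added example, not the article's or the FBI's code. check_anonymous_ftp() performs only
# the USER/PASS handshake and reports the result; nothing is listed or transferred.
import socketserver
import threading
from ftplib import FTP, error_perm


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return True if HOST accepts an anonymous login, False if it refuses (hypothetical helper)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # ftplib defaults to user "anonymous" with an e-mail-style password
        ftp.quit()
        return True
    except error_perm:  # 5xx reply to USER/PASS: anonymous access is refused
        return False
    finally:
        ftp.close()


class _StubFTP(socketserver.StreamRequestHandler):
    """Constructed minimal FTP control channel for offline testing: answers USER/PASS/QUIT only."""

    def handle(self):
        self.wfile.write(b"220 stub ready\r\n")
        while line := self.rfile.readline():
            cmd = line.decode("latin-1").strip().upper()
            if cmd.startswith("USER"):
                self.wfile.write(b"331 password required\r\n")
            elif cmd.startswith("PASS"):  # outcome depends on how the stub is configured
                ok = self.server.allow_anonymous
                self.wfile.write(b"230 logged in\r\n" if ok else b"530 login incorrect\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")


def start_stub(allow_anonymous):
    """Start a stub server on an ephemeral localhost port; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubFTP)
    srv.allow_anonymous = allow_anonymous
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Audit one misconfigured stub and one locked-down stub; return {name: accepts_anonymous}."""
    results = {}
    for name, allow in (("open-anonymous", True), ("locked-down", False)):
        srv, port = start_stub(allow)
        try:
            results[name] = check_anonymous_ftp("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results  # returns {'open-anonymous': True, 'locked-down': False}
```

For a real audit, call `check_anonymous_ftp` against each host and port found by your own inventory; any `True` result is a server that should have anonymous access disabled or be taken off the network.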

Q: Why does the FBI guidance focus specifically on health care?

A: Research conducted at the University of Michigan in 2015 resulted in a finding that more than one million FTP servers would allow such access. According to the FBI, some computer security researchers seek servers in anonymous mode as part of legitimate research, but others make such connections to facilitate nefarious activities such as launching cyber attacks, hacking, blackmailing, harassing and intimidating business owners. The FBI’s purpose in issuing this new guidance is both to make health care businesses aware of the risks represented in their IT systems and to shore up weaknesses that pose cyber security risks. In addition to the precautions urged in the notice, the FBI has previously urged companies to buy and implement ransomware.

Q: Should additional actions be taken by medical and dental health care entities to provide additional protections against cyber crime?

A: The FBI encourages medical and dental health care entities to report suspicious or criminal activity to the local FBI field office (locate via www.fbi.gov/contact-us/field) or the FBI’s 24/7 Cyber Watch, CyWatch, at 855-292-3937 or CyWatch@ic.fbi.gov. Submitted reports must include available information regarding the date, time, location, type of activity, number of people and type of equipment used for the activity, and the name and contact person for the entity submitting the report. Victim complaints can be filed with the Internet Crime Complaint Center at www.ic3.gov.